Study on eID Interoperability for PEGS:
Update of Country Profiles
Analysis & assessment report
(D2.1 Report on analysis and assessment of similarities and
differences;
D2.2 Report on impact on eID interoperability)
This report / paper was prepared for the IDABC programme by:
Coordinated by: Hans Graux (time.lex), Jarkko Majava (Siemens), Eric Meyvis (Siemens)
Contract No. 1, Framework contract ENTR/05/58-SECURITY, Specific contract N°12
Disclaimer
The views expressed in this document are purely those of the writer and may not, in any circumstances, be interpreted as stating an official position of the European Commission.
The European Commission does not guarantee the accuracy of the information included in this study, nor does it accept any responsibility for any use thereof.
Reference herein to any specific products, specifications, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favouring by the European Commission.
All care has been taken by the author to ensure that s/he has obtained, where necessary, permission to use any parts of manuscripts including illustrations, maps, and graphs, on which intellectual property rights already exist from the titular holder(s) of such rights or from her/his or their legal representative.
This paper can be downloaded from the IDABC website:
http://ec.europa.eu/idabc/en/home
http://ec.europa.eu/idabc/en/document/6484
© European Communities, 2009
Reproduction is authorised, except for commercial purposes, provided the source is acknowledged.
Table of Contents
EXECUTIVE SUMMARY
1 DOCUMENTS
1.1 APPLICABLE DOCUMENTS
1.2 REFERENCE DOCUMENTS
2 GLOSSARY
2.1 DEFINITIONS
2.2 ACRONYMS
3 INTRODUCTION
3.1 SCOPE AND OBJECTIVES OF THE PROJECT
3.2 GENERAL STRUCTURE OF THE PROJECT
3.3 GOAL OF THIS DOCUMENT
4 ANALYSIS
4.1 IDENTIFIED NATIONAL IDENTITY RESOURCES
4.1.1 IDENTITY TOKENS
4.1.2 NATIONAL IDENTIFIERS
4.1.3 IDENTITY REGISTERS
4.1.4 BIOMETRICS
4.1.5 MOBILE PHONE BASED IDENTIFICATION
4.2 AUTHENTIC SOURCE PRINCIPLE
4.3 AUTHENTICATION SECURITY – EXISTING SYSTEMS AND POLICIES
4.3.1 AUTHENTICATION POLICIES
4.3.2 PKI BASED SYSTEMS
4.3.3 NON-PKI SYSTEMS
4.4 MANDATE MANAGEMENT AND AUTHORISATIONS
4.5 LEGAL / POLICY ANALYSIS
4.5.1 THE EUROPEAN LEGAL FRAMEWORK
4.5.2 NATIONAL REGULATORY APPROACH MODELS
4.5.3 PRIVACY ISSUES
4.5.4 AUTHENTICATION LEVELS: REGULATIONS AND POLICIES
4.6 E-GOVERNMENT APPLICATIONS USING EIDM
4.6.1 INTRODUCTION – POSSIBLE AUTHENTICATION METHODS IN APPLICATIONS
4.6.2 EHEALTH APPLICATIONS
4.6.3 EJUSTICE
4.7 TECHNICAL / INFRASTRUCTURAL ANALYSIS
4.7.1 COMMONLY USED TOKENS
4.7.2 AUTHENTICATION SYSTEMS (EIDM APPLICATIONS)
4.7.3 INTERNATIONAL INTEROPERABILITY APPROACHES
4.7.4 ADOPTED INDUSTRIAL STANDARDS
5 IMPACT ASSESSMENT
5.1 INTRODUCTION
5.2 IDENTIFIED INTEROPERABILITY ISSUES
5.2.1 AT THE LEGAL/POLICY LEVEL
Executive summary
Introduction
The current study – entitled ‘eID Interoperability for PEGS: Update of Country Profiles’ – aims to collect information on eID practices and developments in the Member States, EEA countries and the candidate countries Turkey and Croatia, with a view to comparatively analysing these and providing specific inputs on quick wins that these countries could implement to establish a certain degree of interoperability.
As the name indicates, the project builds on the information collected in the 2007 IDABC study on eID Interoperability for PEGS, in which similar information was collected. The current study aims to update that information, and to add specific new information, including specifically on authorisation/mandate management solutions, mobile identification, and eID in eHealth/eJustice applications. The present report contains the analysis and assessment of the collected national information, to determine any patterns in the national approaches and to derive a set of constraints with regard to electronic identity management for eGovernment applications.
Main findings with regard to the analysis and assessment of similarities and differences
As with the 2007 edition, this report examines the available identity resources and solutions, along with the legal and technical choices made at the national level. The main findings can be summarised as follows.
Identity resources
With regard to identity tokens, the study found that 13 out of 32 surveyed countries are deploying government supported eID cards, including however a group of six countries relying on eID cards issued by private CSPs with a public sector mandate (Austria, Iceland, Liechtenstein, Luxembourg, the Netherlands and Sweden); in the seven others eID cards are issued by public bodies (Belgium, Estonia, Finland, Italy, Lithuania, Portugal and Spain). In addition to these, 12 countries currently have paper ID cards, but have eID card plans for the near future. Five countries currently do not issue identity cards (Denmark, Ireland, Latvia, Norway and the UK), but plans to issue eID cards in some form exist in all but Denmark. Thus, eID cards will become increasingly common in the next few years. When looking at the use of biometrics, 5 countries out of 32 report actually using biometrics (Italy, Lithuania, the Netherlands, Portugal and Spain), in each case relying on fingerprint data (in hashed form in the Italian case). Lithuania and the Netherlands did not yet have fingerprints stored on their eID means in the 2007 edition of this study; in both cases, the change relates to an update of their respective identity cards. A majority of the surveyed countries (20 of 32 countries, 63%) have not made any plans for biometrics yet, and the use of biometric data has not been reported as an authentication method for specific eGovernment applications in any country.
Usage of mobile phones for authentication purposes in eGovernment applications is similarly still largely at an experimental stage: while eight countries (Austria, Estonia, Lithuania, the Netherlands, Norway, Poland, Slovenia and Turkey) have mobile phone based identification solutions available, a clear majority of 21 out of 32 countries are not using mobile phone identification and have no plans to change this in the near future.
Apart from available authentication means, the study also examined the use of national identifiers, defined as any code, string or number that is assigned to a specific entity for the purposes of uniquely identifying that entity among all other similar entities within a specific user group defined below. All countries use general identifiers, i.e. identifiers that are not restricted to use within one specific application or sector; however, they apply vastly different standards for the lawful use of such identifiers. A number of countries consider that public sector issued identifiers should be protected against trivialisation through private sector use, as this would create a privacy risk. Additional legal protection regimes were reported in 20 of the 32 surveyed countries (63%). Legal regimes in at least two countries (Germany and Hungary) oppose the use of general identifiers for identification purposes on constitutional grounds. This means that the systematic use of general identifiers for the cross border identification of natural persons is a legally complex issue.
This study also examined the acceptance of an authentic source principle (i.e. the policy that each specific identity attribute should have one and only one authentic source, making all other sources for that attribute obsolete). Formal acceptance of an authentic source principle is thus altogether uncommon, and was reported in only 6 countries out of 32 (19%), virtually equal to the 2007 edition of the study (5 out of 32). A further 10 countries (31%) had informally adopted the principle (as compared to 9 in 2007), with another 3 (10%) planning to do so (idem as in 2007).
Authentication systems
Next, the study examined the use of authentication systems, both PKI systems and username/password systems.
For PKI systems, a distinction is made between public sector controlled PKI systems and public/private partnerships. For the purposes of this report, the distinction lies in the allocation of the function of the registration authority who verifies the identity of the party requesting the PKI token. A total of 17 countries out of 32 (53%, 3 more countries than in 2007) reported using public sector controlled PKI systems as defined above, with a total of 22 systems being reported (+6 compared to 2007). Of these 22 systems, 15 were open to private sector use (68%). 20 countries out of 32 (62.5%, 4 more countries than in 2007) reported using public/private sector controlled PKI systems as defined above. Given the involvement of the private sector, it is unsurprising that all of these could also be used in the private sector. Combining both tables, a sizable majority of 27 out of 32 countries (84%, three more than in 2007) have reported using PKI systems (either public or public/private controlled) for the purposes of entity authentication.
Username/password systems (including through two factor authentication and time specific password calculators) also remain very popular. In total, 22 countries out of 32 (69%) have reported using login systems as a key component of their eIDM strategy (one more than during the 2007 study), with 28 systems in total being reported (+1 compared to 2007). Most of these (20) were single factor username/password systems; the others were multifactor systems relying on password lists (7 systems), password calculators (2 systems, in each case bank authentication systems), and mobile phone based authentication systems (2 countries; this excludes countries where mobile phones are used and presented as an electronic signature solution, rather than an electronic authentication solution).
To classify the reliability of these systems, some countries have adopted authentication policies defining specific levels of reliability. In 18 out of 32 countries (56%) some form of multilevel authentication policy can be recognised (+3 compared to 2007). This could be indicative of an increasing professionalization/consolidation of eID infrastructures, as it shows that more countries are becoming aware of the need to differentiate between existing eID solutions on a transparent and consistent basis. However, the number of formally adopted authentication policies remains very limited, being in place in only 5 out of 32 countries. The practical impact of authentication policies has been relatively limited thus far. It is worth noting that all authentication policies are currently focused on nationally available solutions, with only one country – Estonia – noting its ambitions to launch a project to develop assessment methods and criteria for assessing different eIDs, including foreign ones, likely through a formalised system of authentication levels.
Mandate management and authorisations
The study also showed that a systematic approach to mandate management and authorisation functionality – i.e. the ability to allocate, retract or verify specific permissions of a specific entity - in the examined eIDM systems was still altogether rare. 22 countries out of 32 (69%) have no form of mandate/authorisation management, other than the allocation of certificates or credentials to the representatives of a specific legal entity. 8 countries out of 32 (25%) have implemented an ad hoc form of mandate/authorisation management covering specific applications or service types; and only two countries have implemented systems of mandate/authorisation management which can be characterised as systematic: in Austria, an open approach to mandates based on signed XML records was adopted, and Belgium is currently implementing a systematic approach to managing authorisations. It should be noted however that both the Austrian and Belgian systems are operational, but are only taken up to a limited extent in eGovernment applications at this stage.
Legal/policy analysis
One of the main questions of the questionnaire was whether or not the surveyed country had any specific legal framework with regard to entity authentication. The underlying goal of this question was the identification of any legal definition of the concept of an identity, and more importantly, how an identity can be established in an electronic environment. It was generally expected that most countries would not have explicitly addressed this issue through regulatory initiatives, and this appears to be correct: only in Austria is the concept of identification legally defined. In addition, the Finnish report noted that a new Act on Electronic Authentication and Signatures was expected to be passed by the Parliament in September 2009. Other than these examples however, the regulatory frameworks generally only referenced electronic identification indirectly, including notably via eSignatures regulations; regulations in relation to available infrastructure (electronic identity cards and official registers, most notably); and regulations which reference any national authentication policies.
As noted above, such policies are rarely elevated to more than nonbinding policy statements. However, their main appeal lies in the possibility of generalisation to abstract norms, allowing each common European eIDM solution to be given an authentication level classification. As a final stage, applications could then request the use of specific authentication levels, rather than specific authentication solutions. It is worth noting that the Estonian report indicated the intention to launch a project to develop assessment methods and criteria for assessing different eIDs, including foreign ones, likely through a formalised system of authentication levels. Similarly, the Austrian eGovernment Act already provides for the option of recognising the equivalence of foreign eID solutions based on qualified electronic signatures, and in Estonia plans exist to explore this possibility to create a policy for accepting foreign qualified certificates both for authentication and for digital signing. Thus, at least in some countries, there is a strong support for exploring the interoperability potential of qualified signatures for authentication functionality as well.
Technical/infrastructural analysis
The study examined the current level of technical eID infrastructures in the surveyed countries. The main focus of the study was to build a complete picture of the used eID infrastructure. This was achieved by layering eID infrastructure into three main layers.
The first examined layer was the user (citizen) and how he/she is affected by the surveyed country eID infrastructure, including the implications of the citizen aspect for interoperability in general. The citizen aspect needed to answer both local user (user accessing services from home country) challenges and visiting citizen (user accessing services from another country) challenges.
The received responses (as examined in section 4.6) indicated that no common specification exists for tokens and application middlewares. The study showed that hardware tokens were not specified in 19 countries out of 32 (59.5%) and middleware applications were not specified in 20 countries out of 32 (62.5%), apart from the fact that some of the surveyed countries had specified which type of tokens (in some cases other than hardware based) and middleware applications were accepted in the country. Only a few of the surveyed countries had specified their tokens with a deep and strict set of standards.
The second examined layer was the actual operational layer, in which identity provider and service provider play the key role. The operational layer needed to answer what forms of electronic identities are used in the surveyed countries and how these are controlled and managed. This layer also needed to answer which types of services are used with electronic identities.
The received responses (as examined in section 4.6) indicated that 28 countries out of 32 (87.5%) are either using or planning to use some sort of certificate based identities. Only 4 out of 32 (12.5%) have no near-term plans to integrate certificates into their national identity infrastructure. The other aspect examined in the operational layer was the real eGovernment applications used in the surveyed countries, and this survey also confirmed the popularity of the certificate based solutions. The national infrastructure tables showed high numbers of PKI based eGovernment applications. 22 (68%) of the 32 surveyed countries have implemented some level of certificate based authentication in their eGovernment services and only 7 of the surveyed countries did not have any specific eGovernment applications to present (it should be taken into account that there is an obvious uncertainty in this figure, because deployment in this area is rapid).
The third examined layer was the back-office layer, in which industrial identity management standards play the key role. The correspondents were asked which of the recognised industrial identity standards (previously studied in other reports of this project) were used, if any.
The received responses (as examined in section 4.7.1.1) indicated that in the area of the industrial identity management standards the surveyed countries still have a lot to do. It should also be noted that because of the complexity of such systems there could be some implemented and selected standards which were not reported by the correspondents. The study showed that only 9 countries out of the 32 (28%) had selected some of the specified standards; the main finding is thus that 23 out of the 32 (72%) did not have any expressed preference for specific industrial standards. The only standard showing some popularity among the surveyed countries was SAML, as the study indicated that 7 out of the 32 (22%) preferred SAML as a protocol.
eIDM in eHealth and eJustice applications
At the application level, the country profiles also examined the maturity of eID solutions in two specific application fields, namely eHealth and eJustice.
With respect to eHealth, 18 operational applications were reported in 16 countries. 10 of these related to the general eHealth eID infrastructure, reusable across a number of eHealth application fields; 2 reported on predominantly social security/administrative applications; and 6 reported specific applications (typically applications allowing the management of and access to electronic health records). Looking at the authentication means reported in these 16 countries, hard crypto tokens are the predominant form of electronic authentication, being reported in 11 out of 16 countries. Obviously, the availability of eHealth cards or health care professional cards is a strong enabler in this respect, as is e.g. the case for Croatia (CIHI card), Germany (EGK and HBA card), Italy (EIC and NSC card), and the Netherlands (card). These cards serve to determine the capacity of the signatory (e.g. the UZI-card is only available to health care professionals registered in the Dutch UZI-Register), meaning that interoperability is much harder to achieve in this field. Soft crypto tokens are significantly less common, being used in three countries.
In relation to eJustice, 14 operational applications in 13 countries were reported, 6 of which related to court proceedings and court administration; 3 related to the establishment and management of companies; and 5 related to authentic document archiving services. Here too, hard crypto tokens were again the predominant form of electronic authentication, being reported in 8 out of 12 countries.
Main findings with regard to the impact on eID interoperability
Legal/policy findings
As noted above, while specific regulations exist that refer to the need to identify a specific entity (such as the national transpositions of the e-Signatures Directive) or that prescribe which documents and registers are kept to identify specific entities (such as laws with regard to identity cards, national numbers, national registers etc.), the concepts of identity, identification and authentication as defined for the purposes of this study have remained largely unregulated in most countries. From a cross-border perspective, this means that a number of fundamental building blocks are missing, including notably a consensus on which types of information could be used to establish or corroborate an identity, and how the reliability of identity infrastructures could be determined.
Electronic signatures can fill this void to some extent. An examination of national authentication policies shows that a number of countries indicate that the concept of a qualified signature is considered to be the highest level of authentication, with anything else being considered a lower level. Thus, the status of a qualified certificate is also used de facto as a quality label in an authentication context. As the concept of a qualified certificate is a European one, at least this top level of an authentication policy could be applied in a cross border context to establish trust. However, it should not be overlooked that the eSignatures Directive itself does not directly address entity authentication: while e-Signatures can be used as a tool for entity authentication, the more fundamental question of how an entity is identified is not resolved.
This also implies that there is no clear national concept of electronic identity in most countries, nor a European one. None the less, a common European interpretation on the semantics behind the concept of electronic identity is necessary, if only to ensure that a consistent set of identity information can be exchanged when needed and permissible. Without this, at a minimum for legal persons and natural persons, application owners are forced to decide on a case by case basis which information they need, and how they should interpret the information they received.
One of the key remaining interoperability barriers is the cross border use of protected unique identifiers for electronic identity management. Several countries actively oppose the use of generic and non-sector specific identification numbers for natural persons, including e.g. Germany and Hungary (which both oppose generic identity numbers on constitutional grounds), or only permit the use of such identifiers in specific authorised contexts, which never include cross border use cases. This is also one of the key problems currently being explored in STORK: how can users be uniquely identified, other than by relying on national identity numbers which may not be re-usable at the cross border level for legal reasons? Several options are being explored at the present stage, but it is not yet clear how these will be used in practice. This is one of the open issues which will also be explored in the remainder of this study, including possibly through the drafting of a Memorandum of Understanding.
A second remaining challenge is the fact that a country offering an authentication mechanism must offer sufficient guarantees that the information that its system provides is correct and reliable. Currently, this is not always the case, neither in relation to unique identifiers (where accidental double allocations of one number to two different entities are rare, but not completely unheard of) nor in relation to identity databases (where duplicate/incorrect data is still occasionally observed). This is a particularly thorny issue in the field of identity management in a cross border perspective: regardless of the authentication solution being used (smart card, username/password, two factor,...), there must be some form of legal guarantee with regard to the accuracy of the identity information being provided through the system. This implies that a European level authentication assurance policy is needed, and that national identity infrastructures must be ensured to be sufficiently reliable.
These questions are also currently being explored in the STORK project, via the definition of a Quality Authentication Assurance scheme that can be used to classify national identification solutions. In addition, STORK is assessing to what extent national assurances are needed in relation to the national components of a cross border identity infrastructure, and how these can be formalised (e.g. via supervision or accreditation processes).
Finally, cross border eIDM requires that sufficient safeguards should be built in to ensure that the identity attributes of natural persons remain under their control as far as possible; i.e. the data subject remains the data owner, and he/she alone can decide to give his/her identity attributes in stewardship to private sector users. In practical terms however, this is extremely challenging at the cross border level, since all existing challenges that already exist at the national level remain (including lack of knowledge and awareness with participants in the systems), and new challenges are added (including language barriers when attempting to obtain informed consent from an end user for an authentication process and the possible clash between national legal regimes). These issues are being explored in the context of the STORK project as well, and will also be a part of the remaining work planned for the present study.
Technical/infrastructural findings
During the previous study, the technical survey we sent to the correspondents followed a three-layered approach to pan-European identity management architecture. These layers were the citizen layer, the operational layer and the back-office layer. The questions and the impact of the analysis results are therefore presented using the same approach.
On the citizen layer the most challenging question is achieving true interoperability on the citizen token, the citizen identity and the middleware levels, as analysis shows that the underlying technical framework around the citizen layer is incomplete. A consensus should be reached on the hard token level, since this is the token model gaining the most popularity around the surveyed countries, but the current implementations are not interoperable. There are two possible solutions for this problem. A commonly agreed hard token standard should be used, specifically in countries which are implementing new eID schemes (i.e. harmonisation of new solutions). The second challenge is to build interoperability around the already implemented eID schemes (i.e. creating interoperability between existing solutions). As the analysis shows, there has already been some effort to create interoperability between the surveyed countries around the middleware application layer. These efforts should be studied and more focus and pressure should be put on already existing European level standards, both on middleware and on tokens.
From the operational layer the analysis shows that there is currently a high variety of authentication methods in use. This was already noticed in the previous (2007) study, and for that reason an authentication policy model was created. The resulting pan-European interoperable authentication mechanism should support all variations of authentication methods, and more focus should be put on introducing this authentication level model to Member States. It is clear that there is a real need for a common concept of authentication levels. These levels should indicate that citizens will be able to access different eGovernment services based on the security level of their authentication mechanism. In this study we can see that this is still a valid question: it is true that more countries are selecting certificate based authentication, but we can also see that this is not happening in all countries. Instead, some of the countries have tightened their internal implementation around their own token type. A consensus must be reached on how to connect different eID and token approaches. The analysis shows that two different eID approaches are used. A pan-European eID system needs to connect both decentralized and centralized approaches. Thus as the centralized model becomes more popular in Member States, it becomes more important to find ways of making single authentication point solutions (gateway models) available in each country. Connecting countries with decentralized approaches that do not have any (federated) single authentication point solutions available will require more complicated trust structures at the European level as well.
At the same time guidance for best practices needs to be built. In respect of interoperability it is important to have a common pan-European solution to suggest to the countries currently without any eID infrastructure.
On the back-office layer the analysis shows that there is no commonly agreed direction for industrial identity management standards. As described above, the survey shows that only a few of the surveyed countries have selected any of the many available standards. The lack of commonly agreed tokens and eIDM profiles is challenging. A common structure of tokens needs to be drafted during the on-going projects. In some cases transformation services might still be required on a gateway level, so that current or future usage of other standards can be supported.
Finally, it is essential to include future infrastructural plans of Member States within a European Level identity Management scheme.
It is important to create a basic proof of concept, an informational model for Member States of how a European level interoperable system can be built, and to specify a set of rules that evolving Member States should take into account when developing their identity frameworks so that interoperability would be realized in the most efficient manner and require a minimum level of additional development. Semantic interoperability needs to be achieved. Member States need to commonly agree on a set of rules on how eID schemes are developed. System interoperability in communication and syntax of transmitted data needs to be stable. Once achieved, the interoperability in the exchange of data should not be adversely affected by evolutions of one Member State’s eID infrastructure.
1 Documents
1.1 Applicable Documents
[AD1] Framework Contract ENTR/05/58-SECURITY
1.2 Reference Documents
[RD1] eGovernment in the Member States of the European Union – 5th Edition – May 2006
http://ec.europa.eu/idabc/servlets/Doc?id=24769
[RD2] European Electronic Signatures Study
http://www.law.kuleuven.ac.be/icri/itl/es_archive.php?where=itl
[RD3] DIRECTIVE 1999/93/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 13 December 1999 on a Community framework for electronic signatures
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31999L0093:EN:NOT
[RD4] Decision 2003/511/EC of 14 July 2003 on the publication of reference numbers of generally recognised standards for electronic signature products in accordance with Directive 1999/93/EC of the European Parliament and of the Council, OJ L 175, 15.7.2003, p.45
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2003:175:0045:0046:EN:PDF
[RD5] IDABC Study on eID Interoperability for PEGS
http://ec.europa.eu/idabc/en/document/6484
[RD6] DIRECTIVE 2004/18/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 31 March 2004 on the coordination of procedures for the award of public works contracts, public supply contracts and public service contracts
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32004L0018:EN:NOT
[RD7] DIRECTIVE 2004/17/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 31 March 2004 coordinating the procurement procedures of entities operating in the water, energy, transport and postal services sectors
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32004L0017:EN:NOT
[RD8] IDABC Work programme 2005-2009 (sixth revision)
http://ec.europa.eu/idabc/servlets/Doc?id=32115
[RD9] CROBIES study
2 Glossary
2.1 Definitions
In the course of this report, a number of key notions are frequently referred to [1]. To avoid any ambiguity, the following definitions apply to these notions and should also be used by the correspondents.
o Entity: anyone or anything that is characterised through the measurement of its attributes in an eIDM system. This includes natural persons, legal persons and associations without legal personality; it includes both nationals and non-nationals of any given country.
o Identity: the dynamic collection of all of a single entity’s attributes; by definition, an entity has only one identity.
o Electronic identity or eID: an electronic representation of a certain subset of one or more attributes pertaining to an entity. While an entity has only one identity, it may have many electronic identities. It should be noted that eIDs can take many forms, and can be stored on many different types of media. An electronic identity or eID is not synonymous with an eID card: an eID card is only one of many tokens that can be used to support an eID.
o eIDM system: the organisational and technical infrastructure used for the definition, designation and administration of identity attributes of entities. This Profile will only elaborate on eIDM systems that are considered a key part of the national eIDM strategy. Decentralised solutions (state/region/province/commune…) can be included in the scope of this Profile if they are considered a key part of the national eIDM strategy.
o eIDM token (or ‘token’): any hardware or software or combination thereof that contains credentials, i.e. information attesting to the integrity of identity attributes. Examples include smart cards/USB sticks/cell phones containing PKI certificates, …
o Authentication: the corroboration of the claimed identity of an entity and a set of its observed attributes (i.e. the notion is used as a synonym of “entity authentication”).
o Authorisation: the process of determining, by evaluation of applicable permissions, whether an authenticated entity is allowed to have access to a particular resource.
o Unique identifiers: an attribute or a set of attributes of an entity which uniquely identifies the entity within a certain context. Examples may include national numbers, certificate numbers, etc.
[1] Based on the Modinis Common Terminological Framework for Interoperable Electronic Identity
o Official registers: data collections held and maintained by public authorities, in which the identity attributes of a clearly defined subset of entities are managed, and to which a particular legal or factual trust is attached (i.e. which are generally assumed to be correct). This includes National Registers, tax registers, company registers, etc.
o eGovernment application: any interactive public service using electronic means which is offered entirely or partially by or on the authority of a public administration, for the mutual benefit of the end user (which may include citizens, legal persons and/or other administrations) and the public administration. Any form of electronic service (including stand-alone software, web applications, and proprietary interfaces offered locally (e.g. at a local office counter using an electronic device)) can be considered an eGovernment application, provided that a certain degree of interactivity is included. Interactivity requires that a transaction between the parties must be involved; one-way communication by a public administration (such as the publication of standardised forms on a website) does not suffice.
o eSignature: data in electronic form which are attached to or logically associated with other electronic data and which serve as a method of authentication with regard to this data, as defined in the eSignatures Directive [2].
o Advanced electronic signature: an electronic signature which meets the following requirements, as defined in the eSignatures Directive:
(a) it is uniquely linked to the signatory;
(b) it is capable of identifying the signatory;
(c) it is created using means that the signatory can maintain under his sole control; and
(d) it is linked to the data to which it relates in such a manner that any subsequent change of the data is detectable;
o Qualified electronic signature: advanced electronic signatures which are based on a qualified certificate and which are created by a secure-signature-creation device, as defined in the eSignatures Directive.
o Validation: the corroboration of whether an eSignature was valid at the time of signing.
2.2 Acronyms
A2A ... Administration to Administration
A2B ... Administration to Businesses
A2C ... Administration to Citizens
CA ... Certification Authority
CRL ... Certificate Revocation Lists
CSP ... Certificate Service Provider
eID ... Electronic Identity
eIDM ... Electronic Identity Management
IAM ... Identity and Authentication Management
IDM ... Identity Management
OCSP ... Online Certificate Status Protocol
OTP ... One-Time Password
PEGS ... Pan-European eGovernment Services
PKCS ... Public-Key Cryptography Standards
PKI ... Public Key Infrastructure
SA ... Supervision Authority
SOAP ... Simple Object Access Protocol
SCVP ... Server-based Certificate Validation Protocol
SSCD ... Secure Signature Creation Device
USB ... Universal Serial Bus
TTP ... Trusted Third Party
XAdES ... XML Advanced Electronic Signature
XML ... eXtensible Markup Language
XML-DSIG ... XML Digital Signature
3 Introduction
3.1 Scope and objectives of the study
The current study – entitled ‘eID Interoperability for PEGS: Update of Country Profiles’ – aims to collect information on eID practices and developments in the Member States, EEA countries and the candidate countries Turkey and Croatia, with a view to comparatively analysing these and providing specific inputs on quick wins that these countries could implement to establish a certain degree of interoperability.
As the name indicates, the project builds on the information collected in the 2007 IDABC study on eID Interoperability for PEGS, in which similar information was collected. The current study aims to update that information, and to add specific new information, including specifically on authorisation/mandate management solutions, mobile identification, and eID in eHealth/eJustice applications.
3.2 General methodology of the study
As with the 2007 edition, the current update study consists of 3 different phases.
• In a first stage comparable country profiles for each country were collected and validated. These should describe the main eGovernment policies and ambitions in relation to electronic identity management, and will serve as the input for further analysis. These country profiles were collected and validated as a part of WP1 of this study, and have been published on-line at http://ec.europa.eu/idabc/en/document/6484.
• Secondly, the profiles must be analysed and assessed, to determine any patterns in the national approaches and to derive a set of constraints with regard to electronic identity management for eGovernment applications. This aspect is dealt with by the current report, which is an update of the comparable 2007 report.
• Finally, based on the first two phases, the study team will try to identify and describe any ‘quick wins’ that could be taken up at the national level, and will try to draft an MoU that Member States could adopt to improve cross border acceptance of eID tokens/resources. Efforts in relevant projects (including specifically the STORK project) and any barriers identified therein will be considered to ensure the effectiveness and impact of this work.
Of course, reports such as these are only possible through the assistance of local experts who are capable of and willing to provide information with regard to their legal frameworks and administrative practices. The Study team especially wants to acknowledge the contributions of the following authors for each of the country profiles:
E.U. Member States

| Country | Author(s) | Profile draft date (date of receipt or last update) |
|---|---|---|
| Austria | Herbert Leitold (A-SIT) | 14/05/2009 |
| Belgium | Prof. Jos Dumortier and Hans Graux (time.lex Law Offices) | 01/09/2009 |
| Bulgaria | George Dimitrov (Dimitrov, Petrov & Co Law Offices) | 16/05/2009 |
| Cyprus | Olga Georgiades (Lexact Business & Legal Solutions) | 11/05/2009 |
| Czech Republic | Lucie Urbanova (Ministry of Interior, Czech Republic) | 15/05/2009 |
| Denmark | Dr. Henrik Udsen (University of Copenhagen) | 09/09/2009 |
| Estonia | Tarvi Martens (AS Sertifitseerimiskeskus) | 15/05/2009 |
| Finland | Teemu Rissanen (Conseils Oy) | 14/05/2009 |
| France | Fanny Coudert (time.lex Law Offices) | 01/09/2009 |
| Germany | Hajo Bickenbach (2B Advice GmbH) and Jörg Apitzsch (bremen online services GmbH & Co. KG) | 11/06/2009 |
| Greece | Eleni Kosta (time.lex Law Offices) | 18/05/2009 |
| Hungary | Mr. Tibor Szabó (Hungarian Senior State Secretariat for Infocommunication) | 22/06/2009 |
| Ireland | Profs. Maeve McDonagh and Fidelma White (University College Cork) | 20/05/2009 |
| Italy | Davide M. Parrilli (time.lex Law Offices) | 1/09/2009 |
| Latvia | Agris Repss and Inese Rendeniece (Sorainen Law Offices) | 22/05/2009 |
| Lithuania | Sergejs Trofimovs and Renata Beržanskienė (Sorainen Law Offices) | 10/12/2009 |
| Luxemburg | Claire Léonelli (Molitor, Fisch & Associés Law Offices) | 15/05/2009 |
| Malta | Paul Gonzi and Antonio Ghio (Fenech and Fenech Law Offices) | 27/05/2009 |
| The Netherlands | Dr. Nathan Ducastel (HEC – Het Expertise Centrum) | 20/05/2009 |
| Poland | Marcin Kalinowski (Unizeto) | 25/08/2009 |
| Portugal | Pedro Simões Dias | 14/05/2009 |
| Romania | Peter Buzescu (Buzescu Ca. Law Offices) | 18/05/2009 |
| Slovakia | Zuzana Halasova | 01/09/2009 |
| Slovenia | Alenka Zuzek (Dr. Alenka Zuzek Nemec, Dept. of International Relations, Ministry of Public Administration) | 12/09/2009 |
| Spain | Cristina De Lorenzo (Sánchez Pintado & Núñez) | 31/07/2009 |
| Sweden | Prof. Christine Kirchberger (Swedish Law and Informatics Research Institute, University of Stockholm) | 19/05/2009 |
| United Kingdom | Richard Trevorah (xidm Limited) | 15/05/2009 |

EEA

| Country | Author(s) | Profile draft date |
|---|---|---|
| Iceland | Haraldur A Bjarnason (Ministry of Finance) | 19/05/2009 |
| Liechtenstein | Norbert Ospelt (“IT-Technology, IT-Security, EU/EEA” Unit, Information Technology Service, Office of Human and Administration Resources) and Hans Graux (time.lex Law Offices) | 24/08/2009 |
| Norway | Thomas Myhr (Norwegian Broadcasting Corporation (NRK)) | 02/09/2009 |

Candidate countries

| Country | Author(s) | Profile draft date |
|---|---|---|
| Croatia | Dr. Leda Lepri (Central State Office for Administration) | 13/05/2009 |
| Turkey | Prof. Leyla Keser (Istanbul Bilgi University) and Ilhan Hatipoglu (Turkish General Directorate of Civil Registration and Nationality - Department of Data Processing) | 30/10/2009 |
3.3 Goal of this document
This document (“Analysis and Assessment of similarities and differences”) concerns the second phase outlined above.
• Section 4: Report on analysis and assessment of similarities and differences. Based on the information in the country profiles, this section will analyse the similarities and differences in the planned eID schemes in each country both with regard to the legal framework, and on the technical implementation aspects. This analysis will identify any common trends, approaches or strategies in deploying eIDM solutions on a national scale.
• Section 5: Report on impact on eID interoperability. This section contains an impact assessment of the similarities and differences, along with potential issues in relation to interoperability of eID solutions and hence of the supported eGovernment applications.
4 Analysis
4.1 Identified National Identity Resources
In this first section of the analysis report, we will describe the identity resources (both electronic and traditional) commonly used for the purposes of identity management in each of the surveyed countries. The main purpose of this section is to illustrate the resources that the countries have at their disposal to create and maintain eIDM systems. Both electronic and non-electronic solutions have been included in this overview, since the Study is not merely concerned with current solutions, but also with future possibilities. For this reason, it is important to know what the main components of a country’s identity infrastructure are (including identity cards, national registers, etc.), even if these are not (yet) being used in an electronic context. In order to determine the use of such resources for European interoperability purposes, any doubts or reservations expressed by the correspondents with regard to any particular resource have also been noted in the tables below (usually in the ‘Status’ column). It should be noted that the correspondents were asked to report the main means of identification (electronic or otherwise) being used in their countries. The tables below are therefore not necessarily exhaustive; however, all identification means which form a substantial part of a country’s electronic identification plans are included.
Five different categories of identity resources will be examined in the section below:
• Section 4.1.1: identity tokens, i.e. eIDM tokens as defined in the glossary above which are made available to the end users (natural persons and/or business) for the purpose of identifying or authenticating them towards an eGovernment application;
• Section 4.1.2: national identifiers, i.e. unique identifiers as defined in the glossary above which are used to identify an entity in a specific eGovernment context;
• Section 4.1.3: identity registers, i.e. official registers as defined in the glossary above which contain specific attributes in relation to specific entities;
• Section 4.1.4: biometrics, i.e. an analysis of the extent to which biometric identification/authentication tools are being used in eGovernment applications (other than the mandatory biometric passports);
• Section 4.1.5: mobile phone based identification, i.e. an analysis of the extent to which mobile phone based identification/authentication tools are being used in eGovernment applications.
In each section, we will provide a summary overview, along with preliminary conclusions on key trends and observations.
4.1.1 Identity Tokens
This section will describe which identity tokens (if any) are commonly distributed to entities in the surveyed countries. As defined above, tokens include “any hardware or software or combination thereof that contains credentials, i.e. information attesting to the integrity of identity attributes”. Apart from identity cards, examples can thus include USB sticks or cell phones containing PKI certificates, or the certificates themselves. Each of these will be examined separately in the section below.
4.1.1.1 Traditional (paper based) cards
This section provides an overview of paper card tokens without electronic token functionality (i.e. plain paper cards without smart card functionality that would make them suitable for electronic identification/authentication in eGovernment applications) being used in the surveyed countries. Specifically, the overview reports:
• Any government issued national ID cards in use. If the card is being replaced or is planned to be replaced by an electronic ID card, this is reported in the ‘Status’ column, with further details provided in section 4.1.1.2. below;
• Any other paper cards which are not generic ID cards and contain no chip or electronic component, but which are none the less used for electronic authentication. Specifically this includes paper cards with codes printed on them for the purposes of two factor authentication (password lists). It should be noted that these can also be issued by private sector entities. The overview does not include smart cards (section 4.1.1.2.), sector specific tokens (section 4.1.1.4.), user group specific tokens (section 4.1.1.5.); or paper cards that are not used for electronic authentication in eGovernment applications (such as chipless driver’s licenses, social security cards, etc.).
The main purpose of this table is to determine which countries issue identity cards (and might therefore show a smaller socio-cultural barrier to introducing electronic ID cards as an authentication token, if they are not already doing so); and to determine to what extent paper tokens are used as authentication tools in e-government applications.
In the table below, changes in comparison to the 2007 edition of the study are marked in yellow. The following countries have been found to issue paper based identity cards (or other paper card types):
| Country | Description | User group | Mandatory / Roll-out | Status |
|---|---|---|---|---|
| Belgium | National ID card | Belgians over the age of 12; non-nationals mandated to reside in Belgium | Mandatory | Replacement by the eID card (see below) will be complete by the end of 2009. Similar cards exist for non-nationals, which are also being replaced by equivalent eID cards. |
| Belgium | Federal token (not an identity card) | Persons with an ID card (see above) and SIS card (see below) | Optional | Is being phased out in favour of the eID card |
| Bulgaria | … | … and natural persons with permanent residence in Bulgaria | … | … natural persons are not yet planned. |
| Bulgaria | BULSTAT card | Companies, non-profit organisations, public institutions, other kinds of legal entities, branches of foreign company, and self-employed | Mandatory (although holders may elect to receive an electronic BULSTAT card instead of a paper one). | Holders may elect to receive an electronic BULSTAT card instead. |
| Croatia | National ID card | Croatian nationals over the age of 14 | Mandatory | Deployed. eID cards are planned for 2010. |
| Cyprus | National ID card | Cyprus nationals and natural persons with permanent residence in Cyprus | Mandatory | Deployed. Smart cards [3] were traditionally deemed unlawful, but in March 2008 procedures were initiated to introduce eIDs / smart cards for public services. These plans are still in an early stage. |
| Czech Republic | National ID card | Czech nationals and natural persons with permanent residence in the Czech Republic | Mandatory | Deployed. New ID cards are proposed in the draft Act on ID cards. A new plastic ID card should replace current paper ID cards. This card will come in two versions – a plastic card without chip and a smart card. [4] |
| Estonia | Bank token (not an identity card) | Banking customers | Optional | Currently used more frequently than the eID card in a number of eGovernment applications; public policy favours the eID card in the future |
| Finland | Finnish Banker’s Association paper token (TUPAS) | Banking customers | Optional | Currently used more frequently than the eID card. |
| France | National ID card | French citizens over the age of 16 (non-nationals receive a residence card) | Optional | Scheduled to be replaced by an eID card |
| Germany | Identity Card (Personalausweis) | German citizens over the age of 16 | Mandatory | Scheduled to be replaced by an eID card in November 2010 (delayed by 1.5 years) |
| Greece | National ID card | Greek citizens over the age of 12 | Mandatory | Deployed. No specific plans for eID cards yet. |
| Hungary | National ID card | Any person in the population register over the age of 14 | Optional | Likely to be replaced by an eID card in the future. |
| Hungary | Personal identification and address certificate | Any person in the population register over the age of 14 | Optional | Contains the personal identification number |
| Iceland | National ID card | Any person in the population register over the age of 14 | Mandatory | Deployed. Contains the SSN, which is the basis for identity management. |
| Italy | National ID card | Italian citizens over the age of 15; foreigners mandated to reside in Italy | Optional | Gradually being replaced by the eID card on a region by region basis (see below). |
| Liechtenstein | National eID card | Liechtenstein citizens | Optional | Deployed on 23 June 2009 |
| Lithuania | National ID card | Lithuanian citizens over the age of 16 | Mandatory | Currently being replaced by an eID card (since 1 January); see below. |
| Luxembourg | National ID card | Luxembourg citizens over the age of 15 | Mandatory | Deployed. No specific plans for an eID card yet. |
| Malta | National ID card | Maltese citizens over the age of 14 | Mandatory | Planned to be replaced by the eID card. |
| The Netherlands | National ID card | Dutch citizens over the age of 14 | Optional (citizens must carry an identity document; but this may also be e.g. a passport or drivers’ license). | Plans to replace the card with an eID card are currently under (re-)consideration. |
| Poland | National ID card | Polish citizens over the age of 18, or over the age of 15 if they are employed or legally independent | Mandatory | Scheduled to be upgraded to an eID card by 2011. |
| Portugal | National ID card | Citizens over the age of 6 (and Brazilian citizens covered by the Treaty of Porto Seguro) | Mandatory | Gradually being replaced by an eID card since 14 February 2007. |
| Romania | National ID card (Carte de identitate) | Citizens over the age of 14 | Mandatory | Scheduled to be replaced by an eID card from 2011. |
| Slovakia | National ID card | Citizens over the age of 15 | Mandatory | Planned to be replaced by an eID card. [5] |
| Slovenia | National ID card | Citizens over the age of 18 (or younger if the parents apply for it) | Optional (citizens must carry an identity document; but this may also be e.g. a passport or drivers’ license). | Planned to be replaced by an eID card. [6] |
| Spain | National ID card (“Documento Nacional de Identidad”, “DNI”) | Spanish citizens over the age of 14 | Mandatory | Currently being replaced by the eID card. |
| Turkey | National ID card | Turkish citizens | Mandatory | Deployed |
| UK | National ID card | All person over the age of 16 who is or wishes to be resident in the United Kingdom. | Optional | For UK citizens, the intention is that the first identity cards will be issued in 2009. |

[3] In March 2008, the Cyprus Government has initiated the procedures to introduce electronic identification/authentication (eID, smart cards) for public services in order to realize seamless access to public services across borders.
[5] The chip will only be included if the person will apply for it. Otherwise they will receive only the
The table above shows that:
• Out of 32 countries, 24 have a paper token identified as an identity card; 17 of which are mandatory, and 7 of which are optional;
• Of the countries which have a paper identity card, 17 have decided to introduce electronic identity cards (eID cards): 6 of these are already issuing eID cards to the public (Belgium, Italy, Liechtenstein, Lithuania, Portugal and Spain); and 11 have scheduled to do so in the near future or are presently running pilots on a smaller scale. In addition, the introduction of an eID card is under consideration in the Netherlands, but without specific plans yet at the present stage.
• Finally, in 3 out of 32 countries, a paper card other than a national ID card plays a significant role in on-line authentication. Interestingly, in all of these countries (Belgium, Estonia, and Finland), smart cards are already available to the public. Additionally, in Estonia and Finland the popularity of the paper cards is reported to exceed that of the smart card. However, the examples of Belgium, Estonia and Finland illustrate that eID cards do not necessarily become the sole option for electronic authentication: while the Belgian eID card is intended to replace the paper token in the medium term, the timing for the phase-out for Estonia has not been determined, and no specific plans for eliminating the paper token have been identified for Finland.
In comparison to the 2007 edition, some interesting developments can be noted:
• Since the previous edition, two countries have begun issuing eID cards: Liechtenstein and Lithuania both began issuing eID cards in the first half of 2009.
• For a number of countries (including Cyprus, the Czech Republic, Malta, Slovakia, Slovenia and the UK), plans for an eID card have moved forward significantly, although no cards are issued yet at the present stage.
[6] In 2008 existing regulations were amended with provisions regarding introduction of an eID card enabling integration of an ID card, qualified certificates and a health insurance card. However, since the project was suspended these provisions aren’t being used yet and it is anticipated that they will have to be changed if (when) the project continues because the project of introducing the new generation of health insurance cards continues independently.
• The Portuguese eID card moved from issuing in a limited number of regions to a generalised availability across the Portuguese territory.
• Some delays were also noted, including in Germany, Romania and the Netherlands, with the former two delaying eID cards by a year or more, and the Netherlands reconsidering its eID plans altogether on the basis that private sector cooperation might prove to be a suitable and more cost effective approach. In Germany, a general concept for an eID card was published in 2008. The ID Card Act (Personalausweisgesetz) containing all necessary legal changes passed parliament in February 2009 and will be published soon. Pilots have been started, and issuance is expected to begin in 2010.
Important note: this table cannot be used as an overview of eID cards in the surveyed countries. It only provides information with regard to eID cards for countries that are issuing national paper ID cards, and does not include countries such as e.g. Austria or Estonia where eID cards have fully replaced paper ID cards or where national ID cards were not issued to begin with, such as Denmark. Therefore, to assess the popularity of eID cards, section 4.1.1.2. directly below should be consulted, where a full overview and analysis of the ID card situation is provided.
4.1.1.2 Electronic identity cards
In this section, we will take a closer look at electronic identity cards (i.e. smart cards, containing a chip or other electronic component that can be used for electronic authentication) being issued or considered in the surveyed countries.
It should be noted that it is possible for a country to be present in section 4.1.1.1. directly above but not in section 4.1.1.2. (i.e. because it has no eID plans yet); and inversely that a country is in the table below but not above (i.e. because it has an eID card, but not a paper national identity card, such as Austria or Estonia).
Additionally, it should be noted that the table below uses a broad notion of electronic eID card: it includes any eID card issued by public administrations, but also cases where the eID card was issued by a private CSP with a specific government mandate (e.g. in Luxembourg and Liechtenstein), or where smart cards can be activated to be used in eGovernment applications through a decision from a governmental body (e.g. the Austrian Bürgerkarte can be issued by private sector parties, but it must be activated as a Bürgerkarte by a decision of the Austrian SourcePIN authority, which is part of the Austrian data protection authority).
Finally, it should be noted that in a number of instances (e.g. in Hungary and Italy), the presented solution is not a specific smart card, but a series of standards that can be used to create compliant cards. In the case of Austria, the solution need not even be a card per se (although for the purposes of the table below, only smart cards are considered).
The following countries have been found to issue electronic identity cards, or are planning to do so in the near future:
| Country | Description | User group | Mandatory / Roll-out | Status |
|---|---|---|---|---|
| Austria | Citizen Card (Bürgerkarte) – note: the citizen card can also take other forms than a smart card; it is a concept (i.e. a series of norms that can be implemented as several possible tokens). | Natural persons registered in Austria | Optional | Deployed. Note that the system relies on signature certificates in combination with unique identifiers. |
| Belgium | National eID card (BELPIC) | Belgian citizens over the age of 12; non-nationals mandated to reside in Belgium | Mandatory | Deployed |
| Czech Republic | National eID card | Czech citizens | Optional - non electronic and electronic cards will be made available, and each citizen can decide which one to use. | Planned. The Act on ID cards 328/1999 is in the draft phase. |
| Croatia | National eID card | Citizens over 14 | Mandatory | Planned for |
| Croatia | FINA eID card | All businesses and natural persons | Optional | Deployed, issued by the Croatian Financial Agency; contains two certificates: authentication and signature. |
| Estonia | National eID card | Estonian citizens; foreigners residing permanently in Estonia | Mandatory over the age of 15; optional below 15 | Deployed; rollout is complete |
| Finland | National eID card (FINEID) | Finnish citizens and non-nationals registered in Finland. | Optional | Deployed, but rarely used [7] |
| France | National eID card (INES – planned; not yet deployed) | French citizens (no age limit) | Under consideration | Design stage |
| Germany | Electronic Identity Card (Personalausweis) (planned for 2010; not yet deployed) | German citizens over the age of 16 | Mandatory | Final design stage |
| Hungary | National eID card (HUNEID). Note that this is a standard for smart cards, and can have any number of implementations (national ID card, health card, health practitioner card,…) | Natural persons registered in Hungary | Depends on the implementation | Design stage |
| Iceland | National eID cards issued by private CSPs under a common root | Natural persons having a SSN in Iceland | Optional | Deployed, but limited uptake so far. |
| Ireland | Public Service Card (planned; not yet deployed) | To be decided; likely natural persons subject to Irish health care and social services | To be decided | A bidder was selected in June 2008; issuance will likely not begin before next year, subject to budgetary constraints. |
| Italy | National eID card (carta d’identità elettronica - CIE) | Italian citizens and foreigners that have been authorised to reside in Italy of 15 years or older. | Optional | Deployed in a number of regions since 1 January 2006, but not yet universally available. Availability to foreigners is subject to local interpretation. |
| Italy | National Service Card (CNS). Note that this is a specification for smart cards, mainly aiming to ensure interoperability, not a card in itself [8]. | Depends on the implementation, which is largely determined at the regional level | Depends on the implementation, which is largely determined at the regional level | Deployed. Conceived largely as a temporary solution until the CIE is universally available. |
| Latvia | National eID card (planned; not yet deployed) | Citizens that have reached the age of 15. | Mandatory | Design stage; introduction of eID cards is planned for the first half of 2010. [9] |
| Liechtenstein | National eID card | Citizens of Liechtenstein | Optional | Deployed on 23 June 2009 |
| Lithuania | National eID card | Lithuanian citizens over 16 | Mandatory | Deployed since 1 January 2009 |
| Luxembourg | Private sector smart cards (LuxTrust cards) | All natural and legal persons | Optional | Deployed |
| Malta | National eID card (planned; not yet deployed) | Maltese citizens over the age of 14 | Mandatory | Design stage |
| The Netherlands | National eID card (ENIK) | Dutch citizens | Optional (citizens must carry an identity document; but this may also be a passport or drivers’ license). | Under (re-)consideration [10]. |

PKIoverheid certificates are qualified certificates issued on a SSCD with a

[7] In Finland the current plan is to change from smart card based eID to certificates stored on
[8] The main examples of NSCs are the SISS project (Health card of Region Lombardy, with more than 9 million cards issued) and the NSC issued in the Region Friuli Venezia Giulia.
[9] Was planned for the second half of the year 2008, but in the end of 2008, under a governmental action plan the Secretariat of Special Assignments Minister for Electronic Government Affairs was assigned to redraft the previous concept regarding eID Cards.
[10] Plans for a Dutch eID card were set back when the procurement process for an eID solution was successfully challenged before a Dutch court, meaning that the procurement would need to be restarted. Since then, debates have reopened on the benefits of an eID card solution, and specifically whether an extended and more systematic use of the existing DigiD-scheme might not be a preferable option.